Turnstile Spin
Turnstile Spin is a setup flow for Cloudflare Turnstile. It creates the widget for you, then hands your AI coding agent the materials (sitekey, secret, and a curated prompt) to embed the widget on the right forms and wire canonical server-side siteverify into your existing backend. Spin runs three ways:
- From the Cloudflare dashboard. Enter your domains, select Set up, and Spin creates the widget server-side. You receive the sitekey, the secret, and a prompt for your AI coding agent.
- From the Wrangler CLI. Run
wrangler turnstile widget createto create the widget from your terminal. Wrangler prints the sitekey and secret; you wire the widget and siteverify by hand. - From your AI coding agent. Paste a single prompt into Claude Code, Cursor, Codex, OpenCode, or GitHub Copilot Chat. The agent uses the inlined Spin skill to create the widget, embed it, and wire siteverify in your codebase.
All three paths produce the same widget. The only difference is where the create call runs. None of them deploy infrastructure on your behalf. Spin uses Turnstile's canonical siteverify endpoint, called from the backend you already have.
-
Go to the Turnstile dashboard.
Go to Turnstile -
Select Set up with Spin in the page header.
-
Enter the domains your Turnstile widget should accept tokens from. The first chip is pre-filled from your account's first active Cloudflare zone. Add more domains, or remove the pre-filled one and type any domain (Turnstile does not require a Cloudflare-managed zone).
localhostand127.0.0.1are added automatically for local development. -
Select Set up. Spin creates the widget and returns to a success card.
-
When setup completes, copy:
- The sitekey (use as
data-sitekeyon your Turnstile widget HTML). - The secret (store as
TURNSTILE_SECRETin your backend's env or secret manager). - The agent prompt (paste into your AI coding agent to embed the widget and add the canonical siteverify call to your existing backend handler).
- The sitekey (use as
If Spin fails before it finishes, the dialog shows the error and offers a fallback prompt your AI coding agent can use to drive the same setup from your editor. Select Try again to retry from the same dialog.
If you prefer to drive setup from your terminal without an AI coding agent, use Wrangler:
npx wrangler turnstile widget create "myproject" \ --domain example.com \ --domain localhost \ --domain 127.0.0.1 \ --mode managedWrangler prints the sitekey and the secret. Copy the sitekey into your widget HTML, store the secret as TURNSTILE_SECRET in your backend's env, and wire the canonical siteverify call as described in Wire up the frontend.
Additional widget commands:
| Command | Purpose |
|---|---|
wrangler turnstile widget list | List every Turnstile widget on your account. |
wrangler turnstile widget get <sitekey> | Fetch a widget's configuration, including its secret. |
wrangler turnstile widget update <sitekey> --domain <d> | Update the domains, mode, or name of a widget. |
wrangler turnstile widget delete <sitekey> | Delete a widget. Pass -y to skip the confirmation prompt. |
All commands accept --json for machine-readable output. --domain accepts comma-separated values (--domain a.com,b.com) or repeated flags (--domain a.com --domain b.com).
If you do not see the Set up with Spin button in your dashboard, or you want your agent to embed the widget and wire siteverify into your codebase in the same pass, paste this prompt into your AI coding agent:
-
Open your AI coding agent in your project (Claude Code, Cursor, Codex, OpenCode, GitHub Copilot Chat).
-
Paste this prompt into your agent:
Spin prompt Set up Cloudflare Turnstile in this project end to end. Plan insertion points, create the widget, embed it on the right forms, wire canonical server-side siteverify in my existing backend, and validate the integration.The full Turnstile Spin skill is at https://developers.cloudflare.com/turnstile/spin/prompt.md. Fetch it now if you do not already have it loaded.Domains: <DOMAINS>Insertion preference: <every form | only specific form>Replace
<DOMAINS>with your site domains (comma-separated, no spaces; includelocalhost,127.0.0.1for local development). Replace<insertion preference>with the form(s) or route(s) you want to protect, for exampleevery form,only the signup form, oronly /login and /signup. -
Confirm as the agent goes. The agent checks authentication, proposes widget names, and asks you to confirm before any irreversible step.
-
Validate. When the agent finishes, it runs a dummy-token siteverify against
challenges.cloudflare.comusing your secret to confirm the widget and secret are wired correctly.
If you would rather install the skill locally first so the agent has it on disk:
# Claude Codemkdir -p .claude/skills/turnstile-spin && \ curl -sSL https://developers.cloudflare.com/turnstile/spin/prompt.md \ -o .claude/skills/turnstile-spin/SKILL.md
# Cursormkdir -p .cursor/rules && \ curl -sSL https://developers.cloudflare.com/turnstile/spin/prompt.md \ -o .cursor/rules/turnstile-spin.md
# OpenCodemkdir -p .opencode/skills/turnstile-spin && \ curl -sSL https://developers.cloudflare.com/turnstile/spin/prompt.md \ -o .opencode/skills/turnstile-spin/SKILL.mdThen prompt your agent: Use the turnstile-spin skill to add Turnstile to this project.
The agent does not run silently. It detects what it can, asks only when it has to, and confirms before every irreversible step. The flow is a twelve-step wizard with several confirmation points.
| Step | What happens | Confirms with you? |
|---|---|---|
| 1 | Acknowledge (agent restates what it is about to do) | Yes |
| 2 | CLI check (wrangler if present; otherwise falls through to curl) | No |
| 3 | Authentication (Account.Turnstile:Edit token) | If a token is needed |
| 4 | Account selection (if you have more than one) | If more than one |
| 5 | Domain | Yes |
| 6 | Codebase scan (frontend framework + backend handler + existing CAPTCHA) | No |
| 7 | Insertion plan | Yes |
| 8 | Widget creation (calls the Cloudflare API to create the widget) | No (after step 7 confirms scope) |
| 9 | Embed the widget + add canonical siteverify in your existing backend | Yes |
| 10 | Validate (dummy-token siteverify + widget hostname check) | No |
| 11 | Persist the skill locally (so the agent can re-run on follow-up tasks) | Yes |
| 12 | Final report | No |
If anything fails, the agent reports which step and what it tried. Most failures are recoverable by adjusting one input (token scope, domain list, insertion file) and asking the agent to resume.
Whichever setup path you use, Spin gives you a sitekey and a secret. The dashboard hands you a prompt for your AI coding agent. The Wrangler CLI prints them for you to wire by hand. The AI-agent setup edits your files directly.
If you set up from the dashboard and want to wire it by hand, the minimal pattern is:
<script src="https://challenges.cloudflare.com/turnstile/v0/api.js" async defer></script><form action="/api/subscribe" method="POST"> <input name="email" type="email" required /> <div class="cf-turnstile" data-sitekey="YOUR_SITEKEY" data-action="turnstile-spin-v2" ></div> <button type="submit">Submit</button></form>In your existing backend handler for /api/subscribe, call canonical siteverify and gate the rest of the handler on success === true:
const token = request.body["cf-turnstile-response"];const r = await fetch( "https://challenges.cloudflare.com/turnstile/v0/siteverify", { method: "POST", headers: { "Content-Type": "application/x-www-form-urlencoded" }, body: new URLSearchParams({ secret: process.env.TURNSTILE_SECRET, response: token, remoteip: request.ip, }), },);const { success } = await r.json();if (!success) { return new Response("forbidden", { status: 403 });}// existing handler logic runs here, unchangedEquivalent calls in other backend languages (Ruby, Python, Go, PHP) are in the per-framework references shipped with the skill. The canonical fetch idiom works inside a Cloudflare Worker the same way it does in Node; no special binding is required. The data-action="turnstile-spin-v2" attribute is the telemetry marker; refer to Telemetry marker for the marker convention.
If you already have a Turnstile widget without server-side siteverify wired up, recover it from the dashboard. A banner appears above the widgets table when a widget has no matching siteverify traffic; select Fix with Spin to get a curated agent prompt that targets your existing widget. The prompt tells your AI coding agent to fetch the secret via API (no rotation), embed the widget on the right forms, and add the canonical siteverify call to your existing backend.
If you do not see the Fix with Spin banner in your dashboard, drive the same recovery from your AI coding agent directly. Paste this prompt:
I already have a Turnstile widget. The site key is <SITEKEY>. Use the turnstile-spin skill to wire siteverify against the existing widget: fetch the secret via the Cloudflare API (don't rotate), embed the widget on the right forms, and add canonical server-side siteverify to my existing backend.The sitekey does not change. Your existing widget keeps working throughout.
Use the AI-agent setup for migrations. The agent detects reCAPTCHA or hCaptcha in your codebase and proposes a substitution. The substitution rules are:
- Replace script tags with
https://challenges.cloudflare.com/turnstile/v0/api.js(async defer). - Replace
class="g-recaptcha"orclass="h-captcha"divs withclass="cf-turnstile". Updatedata-sitekeyto the new Turnstile site key. - Remove any manually-added
<input type="hidden" name="g-recaptcha-response">orname="h-captcha-response"elements. Turnstile renders its own hidden input namedcf-turnstile-responseautomatically. - Backend siteverify URL points at
https://challenges.cloudflare.com/turnstile/v0/siteverify. DropRECAPTCHA_SECRETorHCAPTCHA_SECRETenv vars; addTURNSTILE_SECRET. The response shape is{ success, error-codes, hostname, action, cdata }.
Two edge cases to flag to the agent. First, reCAPTCHA v3 score thresholds do not translate: Turnstile has no score, so migrated code rejects on success === false rather than a numeric threshold. Second, do not auto-migrate reCAPTCHA Enterprise; refer to the Cloudflare migration guide for reCAPTCHA instead.
The agent ships with frontend snippets for vanilla HTML, Next.js (App Router and Pages Router), Astro, SvelteKit, and Hugo. For other frameworks, the agent falls back to a generic vanilla-HTML pattern and asks you to confirm placement.
For Cloudflare Pages projects, the agent wires siteverify inside a Pages Function, or recommends the Pages Plugin for Turnstile when you'd rather use a built-in plugin than write the call yourself.
For Cloudflare Workers backends, the agent writes the canonical fetch call directly into the Worker's request handler.
| Field | Type | Purpose |
|---|---|---|
sitekey | string | Public identifier. Embedded in the widget HTML on every page. |
secret | string | Server-only. Stored as TURNSTILE_SECRET in your backend env. |
domains | array | The hostnames Turnstile accepts tokens from for this widget. |
mode | string | managed (default), non-interactive, or invisible. |
Spin-tagged widgets emit an account-level marker so Cloudflare can measure activation rates and time-to-first-siteverify for Spin-flowed widgets compared to manual ones. The marker is account-level and aggregate. No PII, no per-user tracking. Refer to the Turnstile privacy addendum ↗.
data-action value | Set by |
|---|---|
turnstile-spin-v2 | Current Spin flow (dashboard Set up with Spin + Wrangler CLI + AI-agent skill, all variants) |
turnstile-spin-v1 | Legacy V1 agent flow. Preserved if encountered on an existing widget; not used for new setups. |
Spin applies the marker automatically. If you edit the widget snippet by hand and remove the attribute, the integration still works; only the analytics segmentation is lost.
cloudflare/skills↗: skills bundle, includesturnstile-spin/- Turnstile server-side validation
- Test site keys and secrets
- Pages Plugin for Turnstile
- Workers secrets
- Cloudflare Radar bot traffic ↗
- Cloudflare Docs for Agents